Paralliversehttps://log0.wordpress.com
Tue, 26 Sep 2017 07:02:57 +0000enhourly1http://wordpress.com/https://s2.wp.com/i/buttonw-com.pngParalliversehttps://log0.wordpress.com
onhacks.org – where I amhttps://log0.wordpress.com/2008/12/21/onhacks-org-where-i-am/
https://log0.wordpress.com/2008/12/21/onhacks-org-where-i-am/#respondSun, 21 Dec 2008 09:46:33 +0000http://log0.wordpress.com/?p=183]]>It’s been great writing here and carving deep my knowledge to myself and hopefully, to you who came. And thanks a lot for those who have written comments and also sending email to me on ideas and improvements. =)

As some of you might know, this page is not readily accessible in China. Hence, I am now moving to here :

Where I will write with in English, Traditional Chinese and Simplified Chinese covering various aspects in Security and also the security view in China.

]]>https://log0.wordpress.com/2008/12/21/onhacks-org-where-i-am/feed/0Log0Some Good Stuffs to Readhttps://log0.wordpress.com/2008/12/09/some-good-stuffs-to-read/
https://log0.wordpress.com/2008/12/09/some-good-stuffs-to-read/#respondTue, 09 Dec 2008 01:42:30 +0000http://log0.wordpress.com/?p=176]]>Well, these articles really enlighten you on matters, even if you know about them. I recommend them to my fellow knowledge-thirsty visitors to take a look at them.

I wrote a simple script to set some cookies, and found some cute numbers on the maximum cookies to be set per domain name per path. The cookies are in the form of <key>=<val>, e.g. 1=1, 2=1, 3=1, 4=1. The length of the cookie name matters, as I found out.

Except Safari 3, all browsers have a limit on the number of cookies to be set. I guess Safari is using a link list for that. For most browsers, although the HTTP Response code is 200, they will report the page as cannot be displayed. However, for Safari, since it has no limit, when the cookie headers are too long ( > 7619 ), Apache replies with a 400 Bad Request.

Haven’t think of any interesting tests yet, but feel free to discuss if there is anything we can do about them. By the way, I remember hotmail sets a whole lot of cookies, like BrowserSense and BS are just duplicates obviously (legacy code, yeehh!), I wonder are they hitting the limits soon? =)

The Tencent Traveller 2, as I will bet none of you outside of China will know about, is actually a browser in China that is built on top of IE7. Consider a GUI on top of IE7, and it even uses cookies of IE7, too. I have no idea of its adoption in China. Only after testing I realized I am using a very old version of it. I’ll see if there’s anything interesting in its newest version, 4.4.

]]>https://log0.wordpress.com/2008/12/08/first-look-on-cookies/feed/4Log0cookie_monsterHow to debug a Stack Overflow for beginners?https://log0.wordpress.com/2008/12/05/how-to-debug-a-stack-overflow-for-beginners/
https://log0.wordpress.com/2008/12/05/how-to-debug-a-stack-overflow-for-beginners/#commentsFri, 05 Dec 2008 09:21:03 +0000http://log0.wordpress.com/?p=96]]>How do you debug a stack overflow?

If you rarely touch debuggers, the above question will be difficult to answer, and if now you are faced with some cryptic failure and error codes. Awww.

Today I am going to share with you my experience in a powerful debugger called WinDBG. This is going to be a very long journey. On we go!

===

The Beginning

The first step in dealing with whatever bugs, is find a solid way to reproduce the bug. If it cannot be reproduced, how can you prove it is gone when you fixed it? Absence of evidence does not imply evidence of absence! Since it is different for all bugs, find the steps to reproduce the bug now and come back.

Have you got it? Make sure you do. You really need it.

Let’s begin.

—

Start the faulting process and attach WinDBG to it. Supply the path to the right symbols, and source files if you feel need them. The symbol files are called PDB. Without symbols, you will have a very hard time doing debugging in general. With the right source, you can free yourself from looking into assembly. ( Note that source can be incorrect! Assembly does not lie. )

An example for the symbols path could be the Microsoft Symbol Server, and my own symbols :

Now let’s download the symbols, /f for reload immediately. The DLL has embedded information and knows where to look for the PDB in the symbol server.

.reload /f

This will force all the modules to find their corresponding PDB symbols. It will take some time. The symbols will be cached at D:\local_SymbolDownstreamStore as specified above. Next time you do not need to wait that long.

List loaded modules, no arguments for showing all of them. This shows all the DLLs that is loaded into memory so far. Before we start doing any debugging, we have to make sure if the modules we want to debug have the right symbols.

Got it? Good. WinDBG should have halted by now. And the *BUSY* is gone. The next step is optional : create a memory dump in case you need to bring the debugging elsewhere or do it later.

.dump /ma C:\memory.dmp

The flag /m is to create a minidump, and with “a” it is equivalent to “fFhut” as well, which effectively means dump everything out. Funny thing is that a mini dump is bigger than a full dump – legacy stuffs.

The first thing you do on a crash, is to do the !analyze, with -v as verbose. It will do all the grunt work to analyze the information for you and save you a lot of time.

STACK_COMMAND – This gives us a short hand to get more information on the stack by executing it in WinDBG command prompt.

MODULE_NAME – The crashing module name in the executable.

IMAGE_NAME – The crashing module file name in the file system.

FAULTING_THREAD – The thread ID of the thread that is active at the moment of crash.

FAULTING_SOURCE_CODE – If you have the right source code and symbols, this can pinpoint the source code where the crash happens.

STACK_TEXT – If you have not the right source code, this gives you the idea what happened.

ERROR_CODE – The error code of the exception that caused this crash.

DEFAULT_BUCKET_ID – The category of the problem we experience.

We got a stack overflow – 0xc00000fd ( You can find that in ntstatus.h ). We also know that the faulting thread is 1. In the above, sometimes you might not get the source code but the STACK_TEXT instead. The STACK_TEXT is the stacktrace of the faulting thread. It is present when you do not have the source code. Manually, you can type ~<thread number>s where thread number is the thread you want to see. In this case, it is 1. You can use the STACK_COMMAND as supplied above by the analysis, ~1s; .ecxr ; kb ;.

Ahhh, do you see the StackBase and StackLimit? Their difference is the stack reserve limit for this thread, note that this can be different for every other thread. ( DA0000 – D61000 = 3F000 ) and you got 252kb roughly.

The first column is the address in the stack. The second column is the return address. The third, forth and fifth column are the arguments to the function call. We are concerned with the first column and the top and bottom of the stack trace. Their difference gives the amount of memory used on the stack.

To calculate the amount of memory used, do a subtraction ( D9FFEC – D63858 = 3C794 ) and … 242kb. There we go! This thread is topping the limit of 252kb, and it seems it just hit the top. However, we still have to find out what caused this memory usage in the first place.

I have truncated the above stack trace, which is about thousands of lines. There is a recurring CreateInstance in general. I counted there are 37 instances of it, and each of them uses about 6.8kb. ( 6.8kb * 37 = 251.6kb ) Boom!!!

Ignore this paragraph : After some studying, it turns out that the cause is that a COM Single-Threaded Apartment allows pre-emption if the main thread is performing an Out-of-proc call, which is a by-product of the Windows Message Loop. The official workaround is to use the IFilter and implement the whole thing yourself. YUCKS! Whatever, that is the reason to a program I’m working on. It might be different for you.

MACHINE BENT! ( This is a my native language slang for almost anything, in this case “Gotcha!” )

By the way, you can also check if this thread is specially allocated only 252kb of stack reserve, or it is a executable limit. Let’s dump the executable headers information. The generic command is “dh <module start addr>” :

!dh 01000000|CrashingProgram.exe -f

252 kb for stack reserves. I got the 01000000 from the “lm” command above. The two hex numbers are starting address and ending address of the loaded code :

The Words

Wow! That’s all for such a boring tutorial. I removed some information from the stacktraces above, though I believe the information above is adequate for your understanding. I hope you find this article helpful for bootstrapping your debugging experience, as it can be very fun.

If you know where I am doing badly, remember to tell me as I am … a beginner! ( Hey! I am a web application security dude! )

]]>https://log0.wordpress.com/2008/12/05/how-to-debug-a-stack-overflow-for-beginners/feed/5Log0I am NOT dead.https://log0.wordpress.com/2008/12/04/i-am-not-dead/
https://log0.wordpress.com/2008/12/04/i-am-not-dead/#commentsThu, 04 Dec 2008 17:21:03 +0000http://log0.wordpress.com/?p=94]]>I know I look like I’m dead and abandoning this place

Nah.

I am just too busy last month on life matters and so, and I nearly got killed by the food in China, and now I am going to come back on track!
And I might be moving my blog once again, because my China friends aren’t making to this webpage. So sad. Anyway, I am having my next post ready, with images!

To understand this, we must understand how integers work in the reality and the binary world.

In reality, integers form a countably infinite set [1]. They have no upper or lower limits. So, in our mind, we can visualize it this way :

The line expands forever to the left and forever to the right.

In the binary world, this is another story. For an integer, we have only 4 bytes ( 32 bits ). By nature, an integer can only represent as many as 2^32 = 4294967296 values. Which means, integers in computers cannot represent the countably infinite nature of integers as in reality. Once the limits are exceeded, it wraps around. Like a wheel :

As you can see, if you subtract 1 from -2147483648 (-2^31), the integer in binary world no longer behaves in what we believe.

(-2^31) – 1
= -214783648 – 1
= +2147483647

Notice that overflowing by subtracting 1 from -(2^31) does not yield (2^31) but (2^31-1). Why? Because 0 is also a value in integer, and thus requires one representation as well. Now there are only (2^32-1) choices left, and so the positive value of -(2^31) is now missing.

That is what Tom is talking about. Since the positive of -(2^31) cannot be represented, -(-(2^31)) = -(2^31).

]]>https://log0.wordpress.com/2008/10/24/basics-of-integer-in-binary/feed/0Log0overflow1overflow21Do Not Detect Overflow With Overflowhttps://log0.wordpress.com/2008/10/13/do-not-detect-overflow-with-overflow/
https://log0.wordpress.com/2008/10/13/do-not-detect-overflow-with-overflow/#commentsMon, 13 Oct 2008 07:33:52 +0000http://log0.wordpress.com/?p=66]]>Credits to a gweilo for the sharing below.

Integer overflow and underflow manifest themselves as vulnerabilities. Here is an overflow bug fired by Sir BugFinder. I assigned our fictional developer Sir FastFix ownership of the bug, and he jumped into the code straight.

param is now checked with the condition (param > param + 1). Since it must be false, an overflow must have occurred if it is true. Intuitive.

param is now unsigned using UWORD, and not signed SWORD. I find no reasons for negative buffers. A good move.

But, something smells stinky. Let’s think again.

Why not use well-defined constants like MAX_INT, MAX_SHORT or MAX_LONG constants to check before incrementing param? Like MAX_INT – a < b ?

Why the code to detect overflow is using yet another overflow to check?

Sir FastFix, I am not approving this code check-in. This fix is not going in anywhere into the source tree. Who knows what this overflow to check overflow can result in? Let’s write more solid and not college quality code, and not rushing to resolve the bug.

]]>https://log0.wordpress.com/2008/10/13/do-not-detect-overflow-with-overflow/feed/7Log0China is a Good Place to Pen Testhttps://log0.wordpress.com/2008/09/29/pen-test-china/
https://log0.wordpress.com/2008/09/29/pen-test-china/#commentsMon, 29 Sep 2008 05:06:23 +0000http://log0.wordpress.com/?p=61]]>

In the midst of crazy work, I breezed through certain websites and randomly injected some simple attack vectors over this month in China. I found several large sites that are vulnerable to XSS and SQL Injection.

Large sites including DangDang, Sina China, Sogou, Baidu, some of them fixed the problems after emailing them or maybe after reading the logs, too. However, the SQL Injection in DangDang remains unfixed and that is not good. I will not disclose here though ( you can certainly find it easily. It is just simple and buggy. )

To give you an idea of how big the sites above are relative to China, here are some analogies :

I guess I will have to find more time to play with these sites to look for more holes. But for now, I have tons of work piling up. Ouch. I have vacation today, in office.

]]>https://log0.wordpress.com/2008/09/29/pen-test-china/feed/6Log0holes1More About the Characters Causing XSS in Operahttps://log0.wordpress.com/2008/09/17/xss-characters-in-opera/
https://log0.wordpress.com/2008/09/17/xss-characters-in-opera/#respondWed, 17 Sep 2008 16:35:14 +0000http://log0.wordpress.com/?p=55]]>I talked about an XSS in Opera 9.51 as discovered by Chris Weber [1]. I talked with Chris and he hinted me something about the character encoding, which I certainly have little concept about it, and I found out why it is happening.

U+180E is a Mongolian Vowel Separator character [4], and U+180F is a non-existent character. Somehow U+180E fall into the Space Separator category as well. For U+180F, I really have no idea how it happened. If you know what is happening, I really appreciate your sharing.

Well, quite a good lesson on international character sets, no? I really recommend Chris Weber’s blog [5] because it contains a lot of information on character encoding and web application security that you should not miss it out.

]]>https://log0.wordpress.com/2008/09/17/xss-characters-in-opera/feed/0Log0My Performance Test on Browsershttps://log0.wordpress.com/2008/09/17/my-performance-test-on-browsers/
https://log0.wordpress.com/2008/09/17/my-performance-test-on-browsers/#commentsWed, 17 Sep 2008 11:12:53 +0000http://log0.wordpress.com/?p=50]]>While playing with browsers last time on character encoding issues, I timed every browser loading 10000 non-existent image tags. As you may have guessed, the script is this :

<img src=non-existent&onerror=alert(1) />

Notice that the javascript is rarely involved unless the exploit succeeded. So for almost all the cases only the image tag is involved, and not the Javascript Engine.

The test is conducted on a VMWare Windows XP Single Core 2 GHz CPU with 256 RAM. A poor specification but nonetheless helps to magnify the problems in within.

With 10000 image tags on a single page, the test is conducted without closing the browser process for 6 iterations so as to capture possible memory leaks and consistent results. The results is as follows :

Browser name

Time (seconds)

Opera 9

61.2

90.9

44.2

54.5

47.2

58.2

Chrome 0.2

102.6

120.3

109.6

122.9

N/A

N/A

Firefox 3

41.8

50.1

45.1

52.1

57.4

66.6

Internet Explorer 7

9.2

8.3

8.8

8.0

8.5

8.9

Safari 3

84.2

79.0

138.4

352.6

(>900)*

N/A

* – Safari 3 only executed 3/4 of the scripts after 900 seconds, and was terminated because it is too slow.

Opera 9 – It scores consistently at about 50 seconds except for the 2nd iteration, which is quite good for 10000 tags. At such a poor specification, it is very responsive although it is heavily loaded.

Chrome 0.2 – It is slow at some 110 seconds, and scores consistently bad. The browser also literally hung and remains unusable during the load. As it is a beta, I am sure they will improve in time.

Firefox 3 – Fast at 50 seconds, but seems to have a slowing trend, could be caused by memory problems although formal memory profiling suggests otherwise [1]. Facts are facts. Overall experience is very responsive despite the heavy load.

Internet Explorer 7 – 8 seconds. Internet Explorer 7 seems to perform very well on such failing image tags, scoring consistently over the 6 iterations, and no signs of memory leakage. Probably optimizations are behind the scenes.

Safari 3 – An obvious growing trend from 80 seconds to exceeding 300 seconds, and took 900 seconds just to execute about 7500 of the image tags in the page at the 5th iteration. Obvious memory leakage and other problems are behind. The browser stays responsive, but its crawling speed is making it unusable.

Conclusion :

It seems to me the worst browser seems to be Safari here. If a formal performance test is conducted on such browsers, it may tell a lot more. But meanwhile, I do not have a reason to use Safari unless I want to test any new Carpet Bombing. =) Firefox 3 is still the road to go! And in China, inevitably the IE7 as well.

This is not a formal performance test and the test case consists of just a single type of script. I am just magnifying the case when a page has more images and seeing what are the capabilities of the browser is. I think IE7 should really get rid of that odd loading at the start of the browser, and maybe it can help pull back the users from Firefox 3.